Wilders Security Forums  

  #1  
Old May 30th, 2004, 12:25 AM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default CoolWeb Shredder NOT working! Hre is my log! Please help me!

I have been infected by the ******* Cool web Search trojan. I downloaded CWshredder, but nothing happened. I ran hijack this, and this is my log. Please help me fix this problem! Thanks in advance!


Logfile of HijackThis v1.97.7
Scan saved at 00:21:36, on 2004-05-30
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\INTERN~2\INTERN~1\Intern~1.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\DS Clock\dsclock.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Timex\Data Link USB\DataLinkLauncher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\WinMX\WinMX.exe
C:\WINDOWS\system.exe
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\seksdialer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karl\Local Settings\Temporary Internet Files\Content.IE5\ALX6VA10\hjtlog[1].exe
c:\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Internet Timer 3] C:\PROGRA~1\INTERN~2\INTERN~1\Intern~1.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [DS Clock] "C:\Program Files\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [kbdjpn] C:\WINDOWS\System32\kbdjpn.exe
O4 - HKCU\..\Run: [wpktv] C:\RECYCLER\NPROTECT\wpktv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Timex Data Link USB Launcher.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
O9 - Extra button: Recherche (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0903d3b0...p/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...026.4816550926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9936854-14DC-4BD5-BAC6-10333850F5EA}: NameServer = 206.47.244.79 206.47.244.12
  #2  
Old May 30th, 2004, 04:09 AM
dvk01 dvk01 is offline
Global Moderator
 
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,099
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

first download http://members.shaw.ca/techcd/VB_Pro...FileReader.zip unzip it and then click on search for hosts
when any hosts file is found, it will be listed in the bottom window, click on it and press the reset default button.
that will replace any bad entries with the standard windows entries
NOTE: if you use a customized hosts file to block certain sites then this will overwrite all those entries as well and you will need to re enter them

Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder it's in.
These easily get lost in a Temp folder or get scattered all over the desktop and we need to empty the temp folders to remove the hijackers

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [kbdjpn] C:\WINDOWS\System32\kbdjpn.exe
O4 - HKCU\..\Run: [wpktv] C:\RECYCLER\NPROTECT\wpktv.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0903d3b...ip/RdxIE601.cab


Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT...01052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files
C:\WINDOWS\System32\kbdjpn.exe
C:\RECYCLER\NPROTECT\wpktv.exe
C:\WINDOWS\system.exe
C:\WINDOWS\seksdialer.exe

then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it

as XP will not let you delete files less than 24 hours old as it thinks it might need them please also do this
while in the temp folder, select view and select details.
then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page.
select all the files/folders except the today ones and delete them all.

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then
Reboot normally &

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

download CWshredder from http://www.thespykiller.co.uk then Run it
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.


Reboot After running cwshredder and as soon as possible follow this advice:
Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

Spybot - Search & Destroy from http://security.kolla.de
AdAware 6 from http://www.lavasoft.de/support/download


Run Spybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least 01R310 23.05.2004 or a higher number/later date
Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it's just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

reboot again

then post a new hijackthis log to check what is left
__________________
Derek
My website http://www.thespykiller.co.uk For help with spyware & hijacking
  #3  
Old May 30th, 2004, 06:14 PM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

Hi again!


First of all, let me thank you for your time.


Unfortunately, the first link that you wrote simply doesn't work. What is the program that you want me to download? Is there any other place where I can get it?


Oh! I forgot to tell you that when I got infected, Norton antivirus said that it had detected Backdoor.jeem, but was unable to remove it. Is this why CWS doesn't work? Do I really have something else? Thanks in advance for your time!

Last edited by tk421 : May 30th, 2004 at 07:19 PM.
  #4  
Old May 31st, 2004, 07:10 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,398
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

CWShredder ?

http://209.133.47.12/~merijn/files/CWShredder.exe

Zipped version also available at this board: http://www.wilderssecurity.com/showthread.php?t=14086

Regards,

Pieter
__________________
Regards,

Pieter
It´s nice to be important, but it´s more important to be nice.
Remove & Prevent spyware
It's human to make mistakes. It's even more so to blame the computer for it.
  #5  
Old May 31st, 2004, 12:58 PM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

I already downloaded CWShredder. It's the following link that doesn't work.

http://members.shaw.ca/techcd/VB_Pr...sFileReader.zip

(Okay, this is not HTML, but the HTML link in your post works, but doesn't lead to any download.)


Is that link to download CW shredder? Seems to me that it is for something else... because I just can't figure out how to follow all those files instructions from your post with CWshredder... seems like they don't apply. Looks like I have to download some other program first...


Thanks again for your time.
  #6  
Old May 31st, 2004, 02:34 PM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,398
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

Could you try and be a bit more specific?
I am trying to figure out what it is that won't work for you.

What instructions don't fit what you are expecting?

Regards,

Pieter
  #7  
Old May 31st, 2004, 04:07 PM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

--------------------------------------------------------------------------------

first download http://members.shaw.ca/techcd/VB_Pr...sFileReader.zip unzip it and then click on search for hosts
when any hosts file is found, it will be listed in the bottom window, click on it and press the reset default button.
that will replace any bad entries with the standard windows entries
NOTE: if you use a customized hosts file to block certain sites then this will overwrite all those entries as well and you will need to re enter them







Hi again!



What I am trying to say is that the link up there doesn't work. So I have nothing to run. I have downloaded CWshredder from the merijn website though, but the only buttons to press are "scan only", "check for update", and "fix". So I am wondering if the link you gave me was for downloading CWS shredder. Or maybe I have an older version? Anyway, I will try again...
  #8  
Old May 31st, 2004, 04:19 PM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

I ran CWS shredder again. It said that my computer was completely clean. It didn't detect anything. What should I do? I am always being redirected to porn site coolsearch.biz. What virus do I have? Norton detected a certain backdoor.jeem. Perhaps I have another virus? Please help!
  #9  
Old May 31st, 2004, 04:58 PM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,398
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

rightclick here and choose Save as

That is the full link dvk01 posted. Not what you copied.

Also post a new HijackThis log when you are done.

Regards,

Pieter
  #10  
Old May 31st, 2004, 05:38 PM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

Pieter,


This link is still not working. Just what is it that you are trying to get me to download? Maybe I can get it from another place? Is this CWshredder? What is the name of that program?


Thanks again for the time!
  #11  
Old June 1st, 2004, 01:47 AM
dvk01 dvk01 is offline
Global Moderator
 
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,099
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

they seem to have taken away the zip file and only have a direct .exe file now so
use this link http://members.shaw.ca/techcd/VB_Pro...FileReader.exe

and then follow previous advice please

and post a new hijackthis log so we can see what is still running on the system
__________________
Derek
My website http://www.thespykiller.co.uk For help with spyware & hijacking
  #12  
Old June 1st, 2004, 12:08 PM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default I did everything! Still not working! CWS still on my computer!

This is my new log after following the instructions.

Logfile of HijackThis v1.97.7
Scan saved at 12:02:10, on 2004-06-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\DS Clock\dsclock.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Timex\Data Link USB\DataLinkLauncher.exe
C:\Program Files\Highjackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [DS Clock] "C:\Program Files\DS Clock\dsclock.exe"
O4 - Global Startup: Timex Data Link USB Launcher.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
O9 - Extra button: Recherche (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...026.4816550926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab



That crap is still there! The only thing that I didn't do in the instructions is to delete the kbdjpn.exe file, simply because it doesn't exist on my computer. I could find a kbdjpn.dll file, but no exe file. Also, isn't this file for the Japanese keyboard layout? I always type stuff in Japanese on my computer. Will I have to reinstall it again?


I spent the last 3 days trying to fix this. Maybe I don't have CWS? I was told by Norton that I have Backdoor.jeem. What is this? Am I doing the right thing? Is this a new version of CWS? Should I delete the kbdjpn.dll file?


Thanks in advance.
  #13  
Old June 1st, 2004, 01:05 PM
dvk01 dvk01 is offline
Global Moderator
 
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,099
Default Re: I did everything! Still not working! CWS still on my computer!

kbdjpn.dll is the Japanese keyboard layout
the kbdjpn.exe is very likely to be a baddie, but if you can't find it then it might not actually exist
I am suspicious of this entry
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

there are genuine files with that name that are timers to tell you how long you have been connected, but I don't know whether yours is a genuine or a baddie pretending to be a good file

I suspect it to be a baddie, but to check please copy C:\WINDOWS\system32\wintime.exe and send it to submit@thespykiller.co.uk so we can check it and see if it is a baddie or not and whether it's the cause of your trouble
__________________
Derek
My website http://www.thespykiller.co.uk For help with spyware & hijacking
  #14  
Old June 1st, 2004, 02:18 PM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

dvk01,


I just sent you the file through hotmail. The hotmail server made a warning that the file may be infected. Perhaps you were right. I will be waiting for your instructions on how to remove it. Thanks again a MILLION times!
  #15  
Old June 1st, 2004, 02:23 PM
dvk01 dvk01 is offline
Global Moderator
 
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,099
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

wintime is definitely a baddie

Kaspersky says

wintime.exe - infected by TrojanDropper.Win32.Small.hh

to fix it

boot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT...01052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe


Delete these files

C:\WINDOWS\system32\wintime.exe

then
Reboot normally & see what happens

I'm not guaranteeing that it will completely cure the problem but it might

if not I've a few other ideas to track down the problem, Some of the CWS hijackers are really evil and hide deeply
__________________
Derek
My website http://www.thespykiller.co.uk For help with spyware & hijacking
  #16  
Old June 1st, 2004, 03:29 PM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

Derek,


I am redoing the whole thing now, after erasing the wintime.exe file. While running Adaware, Norton detected a virus called trojan.bytefly. It said that it erased it. I will soon know if it works. Now I am still running adaware.


Thanks again for your time and patience. I am beginning to lose mine.
  #17  
Old June 1st, 2004, 04:19 PM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

STILL INFECTED!!!


I erased wintime, and ran all the cleaning software again, but I am still ****ed! This is my new log. What do I do next? PLEASE HELP ME!





Logfile of HijackThis v1.97.7
Scan saved at 16:17:08, on 2004-06-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\DS Clock\dsclock.exe
C:\Program Files\Timex\Data Link USB\DataLinkLauncher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Highjackthis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [DS Clock] "C:\Program Files\DS Clock\dsclock.exe"
O4 - Global Startup: Timex Data Link USB Launcher.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
O9 - Extra button: Recherche (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...026.4816550926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9936854-14DC-4BD5-BAC6-10333850F5EA}: NameServer = 206.47.244.139 206.47.244.107
  #18  
Old June 1st, 2004, 04:41 PM
dvk01 dvk01 is offline
Global Moderator
 
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,099
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

right, let's see if we can find any hidden dll's that usually cause this problem

download
http://tools.zerosrealm.com/pv.zip

unzip it & double click on runme.bat
select option 1 press return & post its log
then option 2 press return and post its log

then option 6 & post that log

I hope one of those will find the baddie, but we are having problems finding the initiator for quite a few of the latest CWS hijackers
__________________
Derek
My website http://www.thespykiller.co.uk For help with spyware & hijacking
  #19  
Old June 1st, 2004, 04:46 PM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.




I didn't do that, simply because I don't have an administrator account on my own computer!!! I don't remember ever writing down a password for the administrator account, and it asks me for one when I want to download. Is this critical in removing the spyware?


If it is critical, then I am ****ed, because I don't know my own password!!! What should I do then? Do I have to erase my harddrive and start over from scratch?


If I could find the person who wrote this ****, I would send him to removed. little piece of ****.


Thanks again for your time.

Last edited by Paul Wilders : June 1st, 2004 at 04:51 PM. Reason: too harsh sentences removed
  #20  
Old June 1st, 2004, 04:53 PM
dvk01 dvk01 is offline
Global Moderator
 
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,099
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

if you don't have an administrator account in XP, you can't install or remove any programs or anything

your normal account should have administrator privileges otherwise you wouldn't have been able to use programs like adaware or hijackthis etc which write to the registry, access to the registry is only available to an administrator account
__________________
Derek
My website http://www.thespykiller.co.uk For help with spyware & hijacking
  #21  
Old June 1st, 2004, 05:01 PM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

Derek,


I install all my programs from my user account. I don't have the password for the admin account. I don't remember ever entering one either. Is there any way to login as an administrator? How do I do it?

Anyway, should I just erase the whole harddrive and reinstall windows? It seems like I am completely ****ed now. Do I have to download the windows updates to remove this thing? Is there a fix? Now I think that I will just have to reinstall everything. PLEASE help me out of this mess!
  #22  
Old June 1st, 2004, 05:14 PM
dvk01 dvk01 is offline
Global Moderator
 
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,099
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

if you don't remember the administrator account then try using a blank password

XP by default uses a blank password when you didn't make a password, that is, just press return to log in to the admin account
__________________
Derek
My website http://www.thespykiller.co.uk For help with spyware & hijacking
  #23  
Old June 1st, 2004, 05:15 PM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

Okay, I am now able to make the windows updates. The problem is that because of the spyware, there is some problem with some activex thing that i don't know about. Anyway, I just clicked yes at a box, and then I could download everything. I am doing that just now.


Anyway, just how can I get rid of this thing? I swear I'll even come and clean your hedgehogs' litter if you can really help me with this thing! (Okay, forget the litter. How about a contribution instead?)
  #24  
Old June 2nd, 2004, 12:22 AM
tk421 tk421 is offline
Infrequent Poster
 
Join Date: Apr 2004
Posts: 21
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

Okay, here are the logs for the last program you recommended:


Log 1:



Module information for 'explorer.exe'
MODULE BASE SIZE PATH
explorer.exe 1000000 1019904 C:\WINDOWS\explorer.exe 6.00.2800.1106 (xpsp1.020828-1920) Explorateur Windows
ntdll.dll 77f40000 712704 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) DLL Couche NT
kernel32.dll 77e40000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL du client API BASE Windows NT
msvcrt.dll 77be0000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
ADVAPI32.dll 77da0000 647168 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) API avancées Windows 32
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
GDI32.dll 77c40000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDI Client DLL
USER32.dll 77d10000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) DLL client de l'API Utilisateur de Windows XP
SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Bibliothèque d'utilitaires légers du Shell
SHELL32.dll 77390000 8388608 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) DLL commune du shell Windows
ole32.dll 7ccc0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE pour Windows
OLEAUT32.dll 770e0000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Bibliothèque de l'interface utilisateur du navigateur
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Bibliothèque d'objets et de contrôles de documents de l'environnement
UxTheme.dll 5b090000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliothèque de thèmes Ux Microsoft
IMM32.DLL 76320000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
LPK.DLL 62dc0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
USP10.dll 72ef0000 368640 C:\WINDOWS\System32\USP10.dll 1.0409.2600.1106 (xpsp1.020828-1920) Uniscribe Unicode script processor
comctl32.dll 78090000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
comctl32.dll 77300000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
MSCTF.dll 74690000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL de MSCTF Server
ophook32.dll 10000000 176128 C:\Program Files\ScanSoft\OmniPageSE\ophook32.dll 11.0 OCR Aware Hook (32-bit)
VERSION.dll 77bd0000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
msctfime.ime 8c0000 176128 C:\WINDOWS\System32\msctfime.ime 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Text Frame Work Service IME
appHelp.dll 75ed0000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
CLBCATQ.DLL 7a170000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
COMRes.dll 77000000 868352 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
cscui.dll 765b0000 331776 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) IU de cache côté client
CSCDLL.dll 76590000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Agent réseau hors connexion
themeui.dll 5b950000 466944 C:\WINDOWS\System32\themeui.dll 6.00.2800.1106 (xpsp1.020828-1920) API Windows Theme
Secur32.dll 76f40000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
MSIMG32.dll 76310000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL
Msimtf.dll 74660000 155648 C:\WINDOWS\System32\Msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
USERENV.dll 75a00000 684032 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
ACTXPRXY.DLL 71ca0000 110592 C:\WINDOWS\System32\ACTXPRXY.DLL 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
msutb.dll 5ffb0000 196608 C:\WINDOWS\System32\msutb.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL MSUTB Server
netapi32.dll 71b80000 319488 C:\WINDOWS\System32\netapi32.dll 5.1.2600.1106 (xpsp1.020828-1920) Net Win32 API DLL
SAMLIB.dll 71b50000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
msi.dll 1440000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
SXS.DLL 75e20000 688128 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
ntshrui.dll 76930000 151552 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Extensions de l'interpréteur de commandes pour le partage
ATL.DLL 76ac0000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
SETUPAPI.dll 76610000 966656 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Installation de L'API Windows
NETSHELL.dll 75c80000 1658880 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.1106 (xpsp1.020828-1920) Noyau des Connexions réseau
credui.dll 76bb0000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.1106 (xpsp1.020828-1920) Interface utilisateur du gestionnaire d'informations d'identification
WS2_32.dll 719f0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 719e0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Application d'assistance de Windows Socket 2.0 pour Windows NT
iphlpapi.dll 76d10000 94208 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpsp1.020828-1920) API de l'application d'assistance IP
WINSTA.dll 762f0000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
webcheck.dll 74aa0000 274432 C:\WINDOWS\System32\webcheck.dll 6.00.2800.1106 (xpsp1.020828-1920) Contrôleur de site Web
stobject.dll 74a70000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.1106 (xpsp1.020828-1920) Objet du service d'environnement Systray
BatMeter.dll 74a60000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) DLL d'application d'assistance de Jauge de batterie
POWRPROF.dll 74a40000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
WTSAPI32.dll 76f00000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs
system32.dll 1890000 32768 C:\WINDOWS\system32\system32.dll
comdlg32.dll 76340000 286720 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) DLL commune de boîtes de dialogues
WINMM.dll 76ae0000 188416 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL API MCI
serwvdrv.dll 5d0a0000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Pilote son série Unimodem
umdmxfrm.dll 5b3c0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
wdmaud.drv 72c70000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72c60000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Mappeur de sons Microsoft
MSACM32.dll 77bb0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Filtre audio ACM Microsoft
midimap.dll 77ba0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Mappeur MIDI Microsoft
browselc.dll 723a0000 77824 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliothèque de l'interface utilisateur du navigateur Shell
WININET.dll 63000000 618496 C:\WINDOWS\system32\WININET.dll 6.00.2800.1405 Extensions Internet pour Win32
CRYPT32.dll 76250000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 76230000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1274 (xpsp2.030825-2117) ASN.1 Runtime APIs
AcroIEHelper.dll 23f0000 49152 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.1.2003110300 Adobe Acrobat IE Helper Version 6.0 for ActivieX
SDHelper.dll 2440000 765952 C:\Program Files\Spybot - Search & Destroy\SDHelper.dll 1, 3, 0, 12 Bad download blocker
olepro32.dll 5f140000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft (R) OLE Property Support DLL
NavShExt.dll 2610000 114688 C:\Program Files\Norton AntiVirus\NavShExt.dll 9.05.15 Norton AntiVirusNAVShellExt Module
ccTrust.dll 2630000 106496 C:\WINDOWS\System32\ccTrust.dll 1.01.08 Common Client ccTrust
MSVCP60.dll 76010000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
urlmon.dll 1a400000 499712 C:\WINDOWS\System32\urlmon.dll 6.00.2800.1400 Extensions OLE32 pour Win32
DUSER.dll 6c650000 278528 C:\WINDOWS\System32\DUSER.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows DirectUser Engine
LINKINFO.dll 76920000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
msohev.dll 325c0000 73728 C:\Program Files\Microsoft Office\OFFICE11\msohev.dll 11.0.5510 Microsoft Office 2003 component
MPR.dll 71a60000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) DLL de routeur de fournisseurs multiples
drprov.dll 75ef0000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71b70000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Gestionnaire de réseau local Microsoft®
NETUI0.dll 71c30000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) Code commun NT LM UI - Classes GUI
NETUI1.dll 71bf0000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71be0000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
davclnt.dll 75f00000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Fichier DLL du client DAV pour le Web
MSGINA.dll 75900000 995328 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1106 (xpsp1.020828-1920) Ouverture de session Windows NT GINA DLL
ODBC32.dll 2cc0000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager
odbcint.dll 1f850000 98304 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - Ressources ODBC
RASAPI32.dll 76e90000 225280 C:\WINDOWS\System32\RASAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) API d'Accès réseau à distance
rasman.dll 76e40000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
TAPI32.dll 76e60000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL Client de l'API Microsoft® Windows(TM) Téléphonie
rtutils.dll 76e30000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
printui.dll 74af0000 548864 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL de l'IU d'impression
WINSPOOL.DRV 72f50000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Pilote de spouleur Windows
ACTIVEDS.dll 76df0000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) DLL de la couche de routage AD
adsldpc.dll 76dc0000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL C du fournisseur LDAP AD
WLDAP32.dll 76f10000 184320 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL API LDAP Win32
CFGMGR32.dll 74a50000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
WINTRUST.dll 76be0000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) API Microsoft de vérification de la confiance
IMAGEHLP.dll 76c40000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
asfsipc.dll 70ee0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
MSISIP.DLL 60990000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
wshext.dll 74e10000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
wshFR.DLL 59000000 57344 C:\WINDOWS\System32\wshFR.DLL 5.6.0.6626 Ressources internationales de Microsoft (r) Windows Script Host
ScrTrust.dll 1320000 53248 C:\Program Files\Fichiers communs\Symantec Shared\Script Blocking\ScrTrust.dll 1, 1, 0, 126 ScriptBlocking Trust Verifier
MCPS.DLL 36d30000 102400 C:\PROGRA~1\MICROS~2\OFFICE11\MCPS.DLL 11.0.5510 Media Catalog Proxy/Stub





Log 2:


Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
ntdll.dll 77f40000 712704 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) DLL Couche NT
kernel32.dll 77e40000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL du client API BASE Windows NT
msvcrt.dll 77be0000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
USER32.dll 77d10000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) DLL client de l'API Utilisateur de Windows XP
GDI32.dll 77c40000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDI Client DLL
ADVAPI32.dll 77da0000 647168 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) API avancées Windows 32
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Bibliothèque d'utilitaires légers du Shell
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Bibliothèque d'objets et de contrôles de documents de l'environnement
IMM32.DLL 76320000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
LPK.DLL 62dc0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
USP10.dll 72ef0000 368640 C:\WINDOWS\System32\USP10.dll 1.0409.2600.1106 (xpsp1.020828-1920) Uniscribe Unicode script processor
comctl32.dll 78090000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
SHELL32.dll 77390000 8388608 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) DLL commune du shell Windows
comctl32.dll 77300000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
ole32.dll 7ccc0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE pour Windows
uxtheme.dll 5b090000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliothèque de thèmes Ux Microsoft
MSCTF.dll 74690000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL de MSCTF Server
ophook32.dll 10000000 176128 C:\Program Files\ScanSoft\OmniPageSE\ophook32.dll 11.0 OCR Aware Hook (32-bit)
OLEAUT32.dll 770e0000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
VERSION.dll 77bd0000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Bibliothèque de l'interface utilisateur du navigateur
browselc.dll 723a0000 77824 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliothèque de l'interface utilisateur du navigateur Shell
appHelp.dll 75ed0000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
CLBCATQ.DLL 7a170000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
COMRes.dll 77000000 868352 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
msctfime.ime b20000 176128 C:\WINDOWS\System32\msctfime.ime 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Text Frame Work Service IME
Msimtf.dll 74660000 155648 C:\WINDOWS\System32\Msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
WININET.dll 63000000 618496 C:\WINDOWS\system32\WININET.dll 6.00.2800.1405 Extensions Internet pour Win32
CRYPT32.dll 76250000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 76230000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1274 (xpsp2.030825-2117) ASN.1 Runtime APIs
Secur32.dll 76f40000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
SETUPAPI.dll 76610000 966656 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Installation de L'API Windows
NavShExt.dll 1590000 114688 C:\Program Files\Norton AntiVirus\NavShExt.dll 9.05.15 Norton AntiVirusNAVShellExt Module
ccTrust.dll 15b0000 106496 C:\WINDOWS\System32\ccTrust.dll 1.01.08 Common Client ccTrust
MSVCP60.dll 76010000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
ATL.DLL 76ac0000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
AcroIEHelper.dll 1610000 49152 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.1.2003110300 Adobe Acrobat IE Helper Version 6.0 for ActivieX
SDHelper.dll 1620000 765952 C:\Program Files\Spybot - Search & Destroy\SDHelper.dll 1, 3, 0, 12 Bad download blocker
olepro32.dll 5f140000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft (R) OLE Property Support DLL
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1400 Extensions OLE32 pour Win32
SXS.DLL 75e20000 688128 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
shdoclc.dll 76100000 581632 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Bibliothèque d'objets et de contrôles de documents de l'environnement
mlang.dll 746e0000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
wsock32.dll 71a10000 36864 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) DLL Socket 32-bits Windows
WS2_32.dll 719f0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 719e0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Application d'assistance de Windows Socket 2.0 pour Windows NT
mswsock.dll 71990000 245760 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Fournisseur de service Sockets 2.0 de Microsoft Windows
wshtcpip.dll 719d0000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
RASAPI32.DLL 76e90000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) API d'Accès réseau à distance
rasman.dll 76e40000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
NETAPI32.dll 71b80000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Net Win32 API DLL
TAPI32.dll 76e60000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL Client de l'API Microsoft® Windows(TM) Téléphonie
rtutils.dll 76e30000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
WINMM.dll 76ae0000 188416 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL API MCI
serwvdrv.dll 5d0a0000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Pilote son série Unimodem
umdmxfrm.dll 5b3c0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
msi.dll 1e90000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
USERENV.dll 75a00000 684032 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1400 Visionneuse HTML Microsoft (R)
MSLS31.DLL 74630000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
msohev.dll 325c0000 73728 C:\Program Files\Microsoft Office\OFFICE11\msohev.dll 11.0.5510 Microsoft Office 2003 component
wdmaud.drv 72c70000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72c60000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Mappeur de sons Microsoft
MSACM32.dll 77bb0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Filtre audio ACM Microsoft
midimap.dll 77ba0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Mappeur MIDI Microsoft
DNSAPI.dll 76ed0000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
winrnr.dll 76f60000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
WLDAP32.dll 76f10000 184320 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL API LDAP Win32
rasadhlp.dll 76f70000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
scrauth.dll 2840000 110592 C:\Program Files\Fichiers communs\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 0, 126 ScriptBlocking Authenticator
ScrBlock.dll 2870000 122880 C:\Program Files\Fichiers communs\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 0, 126 ScriptBlocking
wintrust.dll 76be0000 176128 C:\WINDOWS\System32\wintrust.dll 5.131.2600.0 (xpclient.010817-1148) API Microsoft de vérification de la confiance
IMAGEHLP.dll 76c40000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
cryptnet.dll 73ca0000 65536 C:\WINDOWS\System32\cryptnet.dll 5.131.2600.0 (xpclient.010817-1148) Crypto Network Related API
jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
mshtmled.dll 74c20000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2800.1106 (xpsp1.020828-1920) Composant d'édition HTML Microsoft (R)
ACTXPRXY.DLL 71ca0000 110592 C:\WINDOWS\System32\ACTXPRXY.DLL 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
vbscript.dll 73250000 479232 c:\windows\system32\vbscript.dll 5.6.0.7426 Microsoft (r) VBScript
imgutil.dll 66cc0000 40960 C:\WINDOWS\System32\imgutil.dll 6.00.2800.1106 (xpsp1.020828-1920) IE plugin image decoder support DLL
plugin.ocx 72a70000 98304 C:\WINDOWS\System32\plugin.ocx 6.00.2600.0000 (xpclient.010817-1148) Plugin
comdlg32.dll 76340000 286720 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) DLL commune de boîtes de dialogues
ntshrui.dll 76930000 151552 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Extensions de l'interpréteur de commandes pour le partage




Log 6:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710




Thanks again a million times for the help! I hope that your hedgehogs are doing well now!
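
The log review requested in post #18 and answered with the logs in post #24, as an added Python example that is not part of the original thread or of the pv tool: it parses the module listings and the registry export, then lists modules that carry no version information and any DLL named in AppInit_DLLs so they can be checked by hand. The function names are assumptions, the module and registry samples are lines copied from the logs above, and REG_CONSTRUCTED is a made-up value.

```python
import re

# Lines copied from the explorer.exe module listing (Log 1) in the thread.
MODULE_LOG = r"""
Module information for 'explorer.exe'
MODULE BASE SIZE PATH
explorer.exe 1000000 1019904 C:\WINDOWS\explorer.exe 6.00.2800.1106 (xpsp1.020828-1920) Explorateur Windows
ophook32.dll 10000000 176128 C:\Program Files\ScanSoft\OmniPageSE\ophook32.dll 11.0 OCR Aware Hook (32-bit)
CLBCATQ.DLL 7a170000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
system32.dll 1890000 32768 C:\WINDOWS\system32\system32.dll
MCPS.DLL 36d30000 102400 C:\PROGRA~1\MICROS~2\OFFICE11\MCPS.DLL 11.0.5510 Media Catalog Proxy/Stub
"""

# Log 6 from the thread, shortened to the first two values.
REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"""

# Constructed counter-example (not from the thread): a populated AppInit_DLLs.
REG_CONSTRUCTED = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\example_hook.dll"
"""

HEADER_RE = re.compile(r"Module information for '(.+)'")
# name, hex base address, decimal size, then a drive-letter path plus metadata
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<base>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+(?P<rest>[A-Za-z]:\\.*)$"
)


def parse_modules(text):
    """Return one dict per module line, tagged with the owning process."""
    process, modules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            process = header.group(1)
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and the "MODULE BASE SIZE PATH" header
        name, rest = m["name"], m["rest"]
        # Paths may contain spaces, so split where the path ends: at the
        # first "\<module name>" (case-insensitive).
        end = rest.lower().find("\\" + name.lower())
        if end == -1:
            path, meta = rest, ""
        else:
            cut = end + 1 + len(name)
            path, meta = rest[:cut], rest[cut:].strip()
        modules.append({
            "process": process, "name": name, "base": int(m["base"], 16),
            "size": int(m["size"]), "path": path, "meta": meta,
        })
    return modules


def appinit_dlls(reg_text):
    """Return the DLLs listed in AppInit_DLLs, or None if the value is absent."""
    m = re.search(r'^"AppInit_DLLs"="(.*)"\s*$', reg_text, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    value = m.group(1).replace("\\\\", "\\")  # .reg exports double backslashes
    # The value is a space- or comma-separated list of DLLs.
    return [p for p in re.split(r"[ ,]+", value) if p]


def triage(module_log, reg_export):
    """List items for manual review; a finding is a lead, not a verdict."""
    findings = []
    for mod in parse_modules(module_log):
        if not mod["meta"]:  # no version or description text after the path
            findings.append(("no-version-info", mod["process"], mod["path"]))
    for dll in appinit_dlls(reg_export) or []:
        # AppInit_DLLs entries load into every process that loads user32.dll
        findings.append(("appinit-dll", "all user32 processes", dll))
    return findings


if __name__ == "__main__":
    for finding in triage(MODULE_LOG, REG_EXPORT) + triage("", REG_CONSTRUCTED):
        print(finding)
```
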
  #25  
Old June 2nd, 2004, 12:42 AM
dvk01 dvk01 is offline
Global Moderator
 
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,099
Default Re: CoolWeb Shredder NOT working! Hre is my log! Please help me!

nothing showing in any of the logs

I'm baffled, let's see if anyone else has any ideas
__________________
Derek
My website http://www.thespykiller.co.uk For help with spyware & hijacking
 


All times are GMT -4. The time now is 12:14 AM.

